IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS

EASTERN DIVISION

KEEPER SECURITY, INC., Plaintiff, v. DAN GOODIN and ADVANCE MAGAZINE PUBLISHERS INC. d/b/a CONDÉ NAST and ARS TECHNICA, Defendants.

Civil Action No. 17-cv-9117 JURY TRIAL DEMANDED

COMPLAINT

Plaintiff Keeper Security, Inc. (“Keeper”), for its complaint against Defendants Dan

Goodin (“Goodin”) and Advance Magazine Publishers Inc. d/b/a Condé Nast and Ars Technica

(“Ars Technica”) (collectively the “Defendants”), alleges the following:

Summary Of The Claims

1. On December 15, 2017, the ARS Technica website made false and misleading

statements about the Keeper software application suggesting that it had a 16-month old bug that

allowed sites to steal user passwords. The article contained numerous false and misleading

statements. Ars Technica has revised the article twice, but to date has failed to remove the false

statements. Keeper now asserts claims for defamation, violation of the Illinois Uniform

Deceptive Trade Practices Act, 815 ILCS 510/2, and commercial disparagement under Illinois

law.

The Parties

2. Keeper Security, Inc. is an Illinois corporation having its principal place of

business at 850 West Jackson Boulevard, Suite 500, Chicago, Illinois 60607.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 1 of 11 PageID #:1

- 2 -

3. Keeper is in the business of software security. Keeper creates one of the world’s

most downloaded password management and digital vault software for mobile devices and

computers.

4. Keeper sells and manages a software product called “Keeper® Password Manager

& Digital Vault” for managing user passwords and other private information. It may be

preinstalled on a device (such as a smartphone, tablet or computer) or it can be downloaded from

an Internet site or App store. Keeper protects its users against hackers through its secure and

convenient password manager. The passwords, logins, credit card numbers, bank accounts and

other personal information are saved in a private digital vault that is encrypted and highly

protected. The Keeper software operates as a native software application on Smartphones,

Tablets and Computers, with separate components (which must be separately installed and

logged into by the user) such as the Keeper Browser Extension.

5. Keeper also offers a Browser Extension, which requires discretionary, manual

installation by a user. The Browser Extension allows users to auto-fill login credentials (namely

a user name and password) into websites for access.

6. A user can log into the preinstalled Keeper application, which directs users to

download and install a separate application, namely the Keeper Browser Extension.

7. Keeper is an innovator and leader of password management software in the

United States with several million registered users and thousands of business customers. Keeper

software is published in 21 languages and is sold in over 100 countries.

8. The Keeper product is available over the Internet and in various “App” stores

including Apple’s App store, Google Play store and Microsoft App Store. The Keeper product

has received thousands of five-star reviews on the App stores.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 2 of 11 PageID #:2

- 3 -

9. Keeper has contracts with its users whereby a user pays an annual subscription fee

for use of the Keeper Password Manager & Digital Vault software. Keeper fully expects that it

will retain the users for several years. The users of Keeper’s product rely on the integrity of the

Keeper product, as well as, the reputation of Keeper in deciding to enter and renew annual

subscriptions with Keeper.

10. Ars Technica is the name of an online magazine that provides technology news,

analysis and other information, through the website arstechnica.com.

11. Defendant Dan Goodin is an individual who resides permanently in the San

Francisco area of California, and is a citizen of California. Goodin is the Security Editor at Ars

Technica, where he oversees coverage of malware, computer espionage and hardware hacking.

12. “Ars Technica” and “Condé Nast” are assumed names of Defendant Advance

Magazine Publishers Inc., which owns and operates the Ars Technica website and online

magazine, and numerous other publications under the Condé Nast umbrella.

13. Defendant Advance Magazine Publishers Inc. is a corporation formed in the State

of New York with its principal place of business at One World Trade Center, New York, New

York, 10007. It also is registered to do business in the State of Illinois and has a registered agent

located at 801 Adlai Stevenson Drive, Springfield, Illinois 62703.

14. Ars Technica has offices in Chicago, Illinois.

15. Goodin and Ars Technica are responsible for publishing the Article at issue in this

action.

Jurisdiction and Venue

16. This Court has subject matter jurisdiction pursuant to 28 U.S.C. § 1332. Keeper is

a citizen of the State of Illinois. Goodin is a citizen of the State of California. Ars Technica is a

citizen of the State of New York. Keeper claims damages in this action that exceed $75,000.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 3 of 11 PageID #:3

- 4 -

17. Goodin and Ars Technica are subject to personal jurisdiction under the Illinois

long-arm statute, 735 ILCS 5/2-209, for the reasons alleged herein including the commission of a

tortious act within Illinois.

18. Venue is proper in this judicial district pursuant to 28 U.S.C. § 1391(b) for the

reasons alleged herein, including that a substantial part of the events giving rise to the claim

occurred in this judicial district.

Background Facts

19. Ars Technica owns and operates an online publication on the Internet website

www.arstechnica.com (“the “Ars Technica website”).

20. The Ars Technica website publishes articles in technology, computer science,

software and computer hardware.

21. The Ars Technica website operates under the Condé Nast umbrella of public

websites. Ars Technica has an extensive readership (millions of unique visitors per month)

within the technology industry throughout the United States and in Illinois.

22. The Ars Technica website provides public access to articles about software and

computer applications. The Ars Technica website is directed to residents throughout the United

States, including residents of Illinois. The Ars Technica website is widely followed by residents

of Illinois.

23. Condé Nast touts itself as “attracting more than 120 million consumers across its

industry-leading print, digital and video brands, the company portfolio includes some of the most

iconic media: …Ars Technica….”

24. Goodin and Ars Technica published the Article at issue in this action knowing

and intending that that it would be read by residents of Illinois, and knowing and intending that

the Article would cause injury to Keeper, an Illinois company.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 4 of 11 PageID #:4

- 5 -

25. On December 15, 2017, the Ars Technica website published an article by Goodin

titled: “Microsoft is forcing users to install a critically flawed password manager: Win 10 version

of Keeper has a 16-month old bug allowing sites to steal passwords” (the “Article”). A copy of

the Article in its original form is attached as Exhibit 1.

26. The Article was originally published at the following URL:

https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-

critically-flawed-password-manager/.

27. According to the byline associated with the Article, Goodwin wrote, edited and

assisted in publishing the Article: “Dan Goodin: Dan is the Security Editor at Ars Technica,

which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News

and other Publications.”

28. The readership of the Ars Technica website (and the intended audience of the

Article) includes vendors, investors, customers and partner companies of Keeper, a fact known

by Goodin and Ars Technica at the time of the publication.

29. The Ars Technica website claims that “Ars has been building a real on-line

community since its founding in 1998.” It further touts that it is “one of the Internet’s true

treasure troves, and one of the largest, documented community databases of tips, technical help,

and camaraderie on the planet.”

30. The Article published by Goodin and Ars Technica makes several knowingly

false and misleading statements about Keeper, its employees and its product(s). The following

quotations are examples of the false and misleading statements made in the Article:

1) “Microsoft is forcing users to install a critically flawed password manager.”

2) “Win 10 Version of Keeper has 16-month-old bug allowing sites to steal passwords”;

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 5 of 11 PageID #:5

- 6 -

3) “Microsoft is quietly forcing some Windows 10 computers to install a password manager that contains a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords…”;

4) “…quietly forced…”;

5) “…unwanted app…”;

6) “…allowing any website to steal any password…”;

7) “Fortunately, Windows 10 users aren’t vulnerable unless they open Keeper and begin trusting it with their passwords.”

8) “Still, the incident raises questions about the security vetting Microsoft gives to apps it bundles with Windows.”

9) “If an outsider can find a 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago.”

10) “It’s possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that somehow the Keeper vulnerability slipped through anyway.”

11) “It’s also possible third-party apps don’t come with the same security assurances of other Microsoft software.”

31. Goodin knew these statements were false. Goodin failed to speak with Keeper,

and failed to verify his facts with Keeper or Microsoft, before publishing the Article.

32. Furthermore, the Article omitted several important facts about the subject of the

Article. Among other things, the Article misled users of any computer running Microsoft

Windows 10, who were led to believe that they were infected simply by having the Keeper

software application installed on their device(s).

33. There has been no reported or actual security breach or loss of customer

information in connection with the subject of the Article.

34. The goal, and result, of the Article was to injure Keeper and its employees, and

disparage Keeper’s products.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 6 of 11 PageID #:6

- 7 -

35. Keeper contacted Goodin on December 15, 2017 to inform him that the Article

contained false and misleading statements and omissions regarding Keeper and its software.

Keeper further informed Goodin that the Article placed Keeper’s “relationships with vendors and

customers” at risk.

36. Keeper provided a written list of the false and misleading statements and

omissions in the Article and described how the Defendants “twisted facts, mischaracterized

several issues and sensationalized the Article with a defamatory headline (and sub-headline) to

destroy [Keeper].”

37. Goodin and Ars Technica revised and republished the Article, but failed to correct

the false and misleading statements and omissions made in the Article.

38. The revised Article contained false and misleading statements, including those

quoted below:

1) “Microsoft forced users to install a password manager with a critical flaw”;

2) “Win 10 version of Keeper had bug allowing sites to steal passwords.”

3) “For almost two weeks, Microsoft quietly forced some Windows 10 computer systems to install a password manager with a browser plugin that contained a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords…”

4) “…the non-bundled version of the Keeper browser plugin 16 months ago that posed the same threat.”

5) “It’s possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that somehow the Keeper vulnerability slipped through anyway.”

6) “It’s also possible third-party apps don’t come with the same security assurances of other Microsoft software.”

7) “If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago.”; and

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 7 of 11 PageID #:7

- 8 -

8) “Fortunately, Windows 10 users wouldn’t have been vulnerable unless they opened Keeper, registered an account (or logged in if he or she had an existing account), installed the browser plugin and visited a malicious website.”

A copy of the first revised version of the Article is attached as Exhibit 2.

39. Later, the Article was further revised without addressing the false and misleading

statements, for example those quoted below:

1) “For 8 days Windows bundled a password manager with a critical plugin flaw.”

2) “plugin for Win 10 Version of Keeper had bug allowing sites to steal passwords.”

3) “For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug in, a researcher said Friday.” 4) “If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.” 5) “It’s also possible third-party apps don’t come with the same security assurances of other Microsoft software.”

A copy of the third and most recent version of the Article is attached as Exhibit 3.

40. All versions of the Article also omitted material facts about the purported

“vulnerability” that was its subject. Before any such “vulnerability” could have any chance to

impact a user, the user would have to be subject to specific conditions and take the following

steps: (1) the user would have to separately install the Keeper Browser Extension; then (2) sign

into the Keeper Browser Extension (which requires the user to first have a registered Keeper

account); then (3) create and store (or have existing and previously created) website login

credentials inside their Keeper Vault; then (4) visit a malicious website set up to steal a user’s

website login credentials; then (5) the malicious website would have to inject a specific type of

malware into the Keeper Browser Extension. This omission from all versions of the Article was

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 8 of 11 PageID #:8

- 9 -

material because without this relevant information, readers were misled to believe that their

computers were infected simply by having Keeper software installed on their devices.

41. The purported “bug” referred to in all versions of the Article was specifically

related to Keeper’s Browser Extension which is not “bundled” or “preloaded”; it is a separate

application that must be separately installed and registered by a user.

42. Goodin and Ars Technica knew that the Keeper Browser Extension is not bundled

or preloaded, yet continued to publish the knowingly false and misleading information. Goodin

and Ars Technica also knew of the other falsehoods and omissions contained in the Article, but

refused to change or retract the Article.

43. Goodin and Ars Technica wrote, published and disseminated all versions of the

Article knowing that statements contained therein were false, and acted in reckless disregard for

the truth or falsity of the statements.

44. The Article was intended to and did cause harm to Keeper.

45. The false and misleading statements in the Article have since been republished by

third parties on other websites, further injuring Keeper.

Claims for Relief

Count I (Defamation)

46. Keeper repeats and realleges the allegations in Paragraphs 1 through 45 above.

47. Defendants published an Article titled “Microsoft Is Forcing Users To Install A

Critically Flawed Password Manager” on December 15, 2017.

48. Defendants subsequently published other versions of the Article.

49. All versions of the Article contained knowingly false and misleading statements

about Keeper, its software and its employees.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 9 of 11 PageID #:9

- 10 -

50. All versions of the Article were published to third parties.

51. Publication of the Article and the revisions has caused damage to Keeper.

52. The Article and all revisions were published with false and defamatory

statements, with knowledge of the falsity, and with reckless disregard of whether the statements

were true or false.

53. As a result of the false and defamatory statements in all versions of the Article

published by Defendants, Keeper has suffered damages to its business, its stakeholder

relationships and other damages which will be proven at trial, in an amount that exceeds

$75,000.

Count II (Uniform Deceptive Trade Practices Act)

54. Keeper repeats and realleges the allegations in Paragraphs 1 through 53 above.

55. Under 815 ILCS 510/2(a)(8): “A person engages in a deceptive trade practice

when, in the course of his or her business, vocation, or occupation, the person . . . disparages the

goods, services, or business of another by false or misleading representation of fact.”

56. Defendants wrote, published and disseminated all versions of the Article in the

course of their business. The statements made in all versions of the Article are false and

misleading representations of fact that disparage the products, services and business of Keeper.

Count III (Commercial Disparagement)

57. Keeper repeats and realleges the allegations in Paragraphs 1 through 56 above.

58. Defendants made statements in all versions of the Article impugning the quality

of the Keeper software product and other aspects of the Keeper services.

59. Defendants made false and demeaning statements regarding the quality of

Keeper’s products and services in all versions of the Article.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 10 of 11 PageID #:10

- 11 -

60. All versions of the Article falsely criticized the quality of Keeper’s products and

services.

61. Keeper suffered damages as a direct result of Defendants’ actions.

Request for Relief

WHEREFORE, Keeper requests that this Court: A. Enter a judgment in favor of Keeper against Goodin and Ars Technica on Counts

I through III;

B. Award damages in favor of Keeper against Goodin and Ars Technica on Counts I

and III;

C. Grant attorney’s fees and costs as provided by law, including 815 ILCS 510/3;

D. Enter an Order permanently enjoining Goodin and Ars Technica, including

removal and full retraction of the Article; and

E. Grant such other and further relief as the Court may deem just and proper.

Jury Demand

Keeper requests a jury trial on all issues.

Dated: December 19, 2017 Respectfully submitted, /s/Dean D. Niro Dean D. Niro (dniro@vvnlaw.com) Patrick F. Solon (solon@vvnlaw.com VITALE, VICKREY, NIRO & GASEY LLP 311 S. Wacker Drive, Suite 2470 Chicago, Illinois 60606 Tel.: (312) 236-0733 Fax: (312) 236-3137 Attorneys for Keeper Security, Inc.

Case: 1:17-cv-09117 Document #: 1 Filed: 12/19/17 Page 11 of 11 PageID #:11

EXHIBIT 1 TO COMPLAINT

Case: 1:17-cv-09117 Document #: 1-1 Filed: 12/19/17 Page 1 of 3 PageID #:12

https://web.archive.org/web/20171215201301/https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

Microsoft is forcing users to install a critically flawed password manager Win 10 version of Keeper has 16-month-old bug allowing sites to steal passwords. DAN GOODIN - 12/15/2017, 11:58 AM

Microsoft is quietly forcing some Windows 10 computers to install a password

manager that contains a critical vulnerability disclosed 16 months ago that

allows websites to steal passwords, a researcher said Friday.

Google Project Zero researcher Tavis Ormandy said in a blog post that the

Keeper Password Manager came pre-installed on a newly built Windows 10

Case: 1:17-cv-09117 Document #: 1-1 Filed: 12/19/17 Page 2 of 3 PageID #:13

system derived directly from the Microsoft Developer Network. When he

tested the unwanted app, he soon found it contained a critical flaw he had

found in August 2016 in the non-bundled version of Keeper. The bug, he

said, represents "a complete compromise of Keeper security, allowing any

website to steal any password."

With only basic changes to "selectors," the old proof-of-concept exploit

worked on the version installed without notice or permission on his Windows

10 system. Ormandy's post linked to this publicly available proof-of-concept

exploit, which steals an end user's Twitter password if it's stored in the

Keeper app. Ormandy said Keeper developers have released a fixed version.

Keeper representatives didn't immediately respond to questions for this post.

Fortunately, Windows 10 users aren't vulnerable unless they open Keeper

and begin trusting it with their passwords. Still, the incident raises questions

about the security vetting Microsoft gives to apps it bundles with Windows. If

an outsider can find a 16-month-old vulnerability so quickly and easily, it

stands to reason people inside the software company should have found it

long ago. Microsoft officials have yet to respond to questions about what

testing it gives to third-party apps before they're pre-installed, and by some

accounts these apps are repeatedly reinstalled against users' wishes on end

users' computers.

It's possible Microsoft has a process in place for ensuring the security of

third-party apps that get installed on Windows 10 machines and that

somehow the Keeper vulnerability slipped through anyway. It's also possible

third-party apps don't come with the same security assurances of other

Microsoft software. Microsoft should provide an explanation how this

happened.

Case: 1:17-cv-09117 Document #: 1-1 Filed: 12/19/17 Page 3 of 3 PageID #:14

EXHIBIT 2 TO COMPLAINT

Case: 1:17-cv-09117 Document #: 1-2 Filed: 12/19/17 Page 1 of 4 PageID #:15

https://web.archive.org/web/20171215220038/https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

Microsoft forced users to install a password manager with a critical

flaw Win 10 version of Keeper had bug allowing sites to steal passwords. DAN GOODIN - 12/15/2017, 11:58 AM

Case: 1:17-cv-09117 Document #: 1-2 Filed: 12/19/17 Page 2 of 4 PageID #:16

For almost two weeks, Microsoft quietly forced some Windows 10 computers to install a password manager with a browser plugin that contained a critical vulnerability almost identical to one disclosed 16 months ago that allows websites to steal passwords, a researcher said Friday. Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found it contained a bug that represents "a complete compromise of Keeper security, allowing any website to steal any password." He said he uncovered a flaw in the non-bundled version of the Keeper browser plugin 16 months ago that posed the same threat. With only basic changes to "selectors," the old proof-of-concept exploit worked on the version installed without notice or permission on his Windows 10 system. Ormandy's post linked to this publicly available proof-of-concept exploit, which steals an end user's Twitter password if it's stored in the Keeper app. After this post went live, a Keeper spokesman said the bug was different than the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user had the accompanying browser plugin installed. The developer has fixed the flaw in the just-released version 11.4 by removing the vulnerable "add to existing" functionality. Fortunately, Windows 10 users wouldn't have been vulnerable unless they opened Keeper, trusted it with their passwords, and used the browser plugin. If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it long ago. Microsoft officials declined to say what testing it gives to third-party apps before they're pre-installed, and by some accounts these apps are repeatedly reinstalled against users' wishes on end users' computers. The representatives also declined to say what conditions caused Windows 10 computers to install the app. In a statement, the representatives wrote: "We are aware of the report about this third-party app, and the developer is providing updates to protect customers." While Ormandy reported Keeper was installed on a virtual machine created from a version of Windows intended for developers, people participating in the Reddit discussion reported Keeper was also installed on laptops, in one case right after it was taken out of the box and in another after it had been wiped clean and had Windows reinstalled. A third person reported Keeper being installed on a virtual machine created with Windows 10 Pro. It's possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that somehow the Keeper vulnerability slipped through anyway. It's also possible third-party apps don't come with the same security assurances of other Microsoft software. Microsoft should provide an explanation how this happened and explain the precise conditions under which Keeper and other apps do and don't get installed.

Case: 1:17-cv-09117 Document #: 1-2 Filed: 12/19/17 Page 3 of 4 PageID #:17

This post, including the headline, was updated to add comment from Keeper and Microsoft and to reflect details about the vulnerability and the Windows 10 versions reported to receive automatic installs.

Case: 1:17-cv-09117 Document #: 1-2 Filed: 12/19/17 Page 4 of 4 PageID #:18

EXHIBIT 3 TO COMPLAINT

Case: 1:17-cv-09117 Document #: 1-3 Filed: 12/19/17 Page 1 of 4 PageID #:19

https://web.archive.org/web/20171217002153/https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

For 8 days Windows bundled a password manager with a critical plugin flaw

Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords. DAN GOODIN - 12/15/2017, 11:58 AM

For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug in, a researcher said Friday. The flaw was almost identical to one the same researcher disclosed in the same manager plugin 16 months ago that allowed websites to steal passwords. Google Project Zero researcher Tavis Ormandy said in a blog post that the Keeper Password Manager came pre-installed on a newly built Windows 10 system derived directly from the Microsoft Developer Network. When he tested the unwanted app, he soon found the browser plugin the app prompted him to enable contained a bug that represents "a complete

Case: 1:17-cv-09117 Document #: 1-3 Filed: 12/19/17 Page 2 of 4 PageID #:20

compromise of Keeper security, allowing any website to steal any password." He said he uncovered a flaw 16 months ago in the non-bundled version of the Keeper browser plugin that posed the same threat. With only basic changes to "selectors," Ormandy's old proof-of-concept exploit worked on the new Keeper plugin. Ormandy's post linked to this publicly available proof-of-concept exploit, which steals an end user's Twitter password if it's stored in the Keeper app and the plugin is enabled. After this post went live, a Keeper spokesman said the bug was different than the one Ormandy reported 16 months ago. He said it affected only version 11 of the app, which was released on December 6, and then only when a user followed Keeper prompts to install the browser plugin. The developer on Friday fixed the flaw in the just-released version 11.4 by removing the vulnerable "add to existing" functionality. The fix came 24 hours after Ormandy privately reported the flaw to Keeper. Fortunately, Windows 10 users wouldn't have been vulnerable unless they opened Keeper, trusted it with their passwords, and followed prompts to install the browser plugin. If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first. Microsoft officials declined to say what testing it gives to third-party apps before they're pre-installed, and by some accounts these apps are repeatedly reinstalled against users' wishes even after being uninstalled. Microsoft representatives also declined to say what conditions caused Windows 10 computers to install the app. In a statement, the representatives wrote: "We are aware of the report about this third-party app, and the developer is providing updates to protect customers." While Ormandy reported Keeper was installed on a virtual machine created from a version of Windows intended for developers, people participating in the above-linked Reddit discussion reported Keeper was also installed on laptops, in one case right after it was taken out of the box and in another after it had been wiped clean and had Windows reinstalled. A third person reported Keeper being installed on a virtual machine created with Windows 10 Pro. It's possible Microsoft has a process in place for ensuring the security of third-party apps that get installed on Windows 10 machines and that somehow the Keeper vulnerability slipped through anyway. It's also possible third-party apps don't come with the same security assurances of other Microsoft software. Microsoft should provide an explanation how this happened and explain the precise conditions under which Keeper and other apps do and don't get installed. This post, including the headline, was updated to add comment from Keeper and Microsoft and to reflect details about the vulnerability and the Windows 10 versions reported to receive automatic installs. It was later edited to remove characterization the Keeper was forced on some Windows 10 users and to clarify the amount of time the prebundled version was vulnerable and the role of the browser plugin.

Case: 1:17-cv-09117 Document #: 1-3 Filed: 12/19/17 Page 3 of 4 PageID #:21

Case: 1:17-cv-09117 Document #: 1-3 Filed: 12/19/17 Page 4 of 4 PageID #:22